
Multiple registered redirect URIs

Mar 2nd, 2012, 05:49 AM

Hi,

OAuth2 specification (v2-23) seems to say that multiple redirect URIs can be pre-registered with the provider.

If multiple redirection URIs have been registered, if only part of
the redirection URI has been registered, or if no redirection URI has
been registered, the client MUST include a redirection URI with the
authorization request using the "redirect_uri" request parameter.

When a redirection URI is included in an authorization request, the
authorization server MUST compare and match the value received
against at least one of the registered redirection URIs (or URI
components) as defined in [RFC3986] section 6, if any redirection
URIs were registered. If the client registration included the full
redirection URI, the authorization server MUST compare the two URIs
using simple string comparison as defined in [RFC3986] section 6.2.1.

Is this possible with Spring OAuth?

(It seems it is only possible to pre-register one redirect URI, because the ClientDetails interface only has a property for one webServerRedirectUri.)

Comment

Some of the potential users of the ORCID REST API are publishers. In some cases they have several hundred or even thousands of different journals that will interact with the ORCID API, which will be using Spring Security OAuth.

They have asked if they can use one client ID for all of their journals, because that will be easier for them to manage. However, they want users to be redirected back to the correct journal after they have authorized access to their data.

So, we'd like to allow them to register a different redirect URI for each journal. They would pass the redirect URI for the journal when they send the user to ORCID for authorization, and we would like to validate that against a list of allowed values for the client.

Best regards,

Will

Comment

I see. I guess your client could register a single callback and then bounce from there to the selected journal quite easily (that's quite normal I think), so this doesn't seem like a showstopper. But we can think about multi-valued redirects for the framework as well. It doesn't have a high priority for me right now, but feel free to open a JIRA for tracking the requirement. If you want to contribute some code, read the README and fill in the contributor's agreement.
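Both the per-journal validation asked for above (several registered URIs, matched by the simple string comparison the quoted draft text requires) and the single-callback bounce suggested in the reply, as an added Python example; it is not Spring Security OAuth's code, and the client ids, journal ids and URIs are constructed sample values.

```python
# Constructed registry: each client id maps to the full redirect URIs
# registered for it (sample values, not a real provider's data).
REGISTERED_REDIRECTS = {
    "publisher-client": {
        "https://journal-a.example.org/orcid/callback",
        "https://journal-b.example.org/orcid/callback",
    },
    "single-client": {"https://single.example.org/cb"},
}


def select_redirect_uri(client_id, requested):
    """Authorization-server side: return the redirect URI the user may be
    sent to, or None when the request must be rejected.

    Rules taken from the quoted draft text: with more than one URI
    registered the client MUST send redirect_uri, and a fully registered
    URI is matched by simple string comparison (RFC 3986 section 6.2.1),
    so no prefix match, no case folding and no query-string tolerance."""
    registered = REGISTERED_REDIRECTS.get(client_id)
    if not registered:
        return None  # unknown client id
    if requested is None:
        # Omitting redirect_uri is only unambiguous with one registration.
        return next(iter(registered)) if len(registered) == 1 else None
    return requested if requested in registered else None


# Client side of the single-callback pattern: the one registered callback
# forwards to the journal chosen before authorization. The journal is
# identified by an opaque id (e.g. carried in the client's own session or
# state value), never by a raw URL from the request, so the shared
# callback cannot be turned into an open redirector.
JOURNALS = {
    "journal-a": "https://journal-a.example.org/after-auth",
    "journal-b": "https://journal-b.example.org/after-auth",
}


def bounce_target(journal_id):
    """Return the allow-listed journal URL for journal_id, or None."""
    return JOURNALS.get(journal_id)
```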